State of the Internet / Security: Credential Stuffing: Attacks and Economies

Akamai recorded nearly 30 billion credential stuffing attacks in 2018. Each attack represented an attempt by a person or computer to log in to an account with a stolen or generated username and password. The vast majority of these attacks were performed by botnets or all-in-one applications.

Botnets are groups of computers tasked with various commands. They can be instructed to find accounts that are vulnerable to being accessed by someone other than the account owner; these are called account takeover (ATO) attacks. AIO applications allow an individual to automate the login or ATO process, and they are key tools for account takeovers and data harvesting.

What does this have to do with media organizations, gaming companies, and the entertainment industry? A lot. These organizations are among the biggest targets of credential stuffing attacks. The people behind these attacks realize the value of an account, whether it’s to a streaming site, a game, or someone’s social media account. And they’re willing to do whatever it takes to steal them.

In this report, we’re going to give you an overview of the credential stuffing attacks in 2018 against the aforementioned sectors and look at the risks these attacks pose. We’ll also explore some of the ways adversaries conduct these attacks.